Symantec IGA

  • 1.  Move Users of a Role to other in IDM

    Posted Mar 19, 2010 08:43 AM
    Hello Community,

    I have three clients with CA Identity Manager r12 CR09, and I need to move the roles of users as they move between departments.

    In the companies there are policies associated with roles; when users are moved to another department, the current role is deleted and the new role is loaded.

    The problem is that when you make the change of department, the user is deleted from Active Directory when the role is removed and is newly created when the new role is assigned, but in the deletion they lose their credentials, settings, password, etc.

    My question is whether you can move the user, that is, when the user is moved between departments, remove the role and assign the new role, but without the user being deleted from Active Directory, so as to maintain their credentials.

    Must there be a development (Exit Program) to perform the function of moving the user?

    Thanks for your help and comments.

    Sebastian Antunez
    Santiago, Chile


  • 2.  Re: Move Users of a Role to other in IDM

    Posted Mar 24, 2010 03:46 AM
    I assume you are referring to AD groups as roles?


  • 3.  Re: Move Users of a Role to other in IDM

    Posted Mar 29, 2010 06:47 AM
    Hello,

    The client needs to move the users through roles based in Active Directory.

    Example: The user santunez has the role "System Consulting" with Active Directory policies (Group Members, Container, Manager, etc.), and the user is changed to the department "System DBA". There exists a role called "System DBA" with all the policies of this role. When the user is changed, it is deleted from Active Directory and is created with the new role.

    The client needs to move the user without it being removed from Active Directory, because it loses all its credentials when changing department.

    Best Regards


  • 4.  Re: Move Users of a Role to other in IDM

    Posted Apr 15, 2010 08:17 PM
    I think it's designed behavior.

    If the customer manages all the account credentials via the global user password, they should not lose the account credentials.

    It seems they can deploy the password sync agent on the Active Directory domain controller to sync the AD account password with the Global User password when they change the AD account password via third-party tools.

    Thanks,

    Yong


  • 5.  Re: Move Users of a Role to other in IDM

    Posted Apr 28, 2010 01:00 PM
    Hello,

    We tested, and when the user moves department and is assigned the role, the user is deleted in Active Directory and recreated.

    PSYNC was installed in AD, but we still have the inconvenience.

    Thanks


  • 6.  RE: Re: Move Users of a Role to other in IDM

    Posted Sep 08, 2010 01:27 PM
    Santunez,
    We have had the same issue in R8. We are just now upgrading to R12.5 sp2 (still in development) and I am thinking through this issue.


    What is the policy / template that is in your role? For ours in R8 it was an Active Directory Object with an Exchange Mailbox.
    I haven't tested, but is there a way to have the distribution lists on one policy and the Active Directory Object and Mailbox on another?
    I am about at the stage where I can start testing scenarios.

    What things have you tried?
    Is this due to a strong sync? Have you tried turning strong sync off?
    I know that when you make the change manually in R8 you are prompted with "should accounts be deleted" and then you have the chance to say "NO". But automating has been an issue.

    If you have resolved this issue, please post back telling how.

    Thank you,
    Glenda


  • 7.  RE: Move Users of a Role to other in IDM

    Posted Sep 24, 2010 02:48 PM
    You can use an event Policy Xpress with only "add action when matched" actions. In this policy, configure "add role with event" actions to add the new roles first and then remove all other ones.

    Be sure to configure the addition of new roles prior to removing anything, because the actions are taken in the sequence that you declare them.

    This way the policy will add the new role first, avoiding the deletion of the account from AD when the old role is removed from the user.


  • 8.  RE: Move Users of a Role to other in IDM

    Posted Dec 09, 2010 01:54 PM
    My experience is to have a basic AD provisioning role that is never removed, which will prevent the user from being deleted. This will prevent the users from being deleted from AD. You will use other roles to manage group and OU settings.
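
The ordering advice in post 7 and the never-removed base role in post 8 can be checked against a simplified model. This is an added example, not part of any post and not CA Identity Manager code; it assumes the behaviour the thread describes (the account is deleted as soon as the user holds no provisioning role), and the role name "AD Base Account" and all class and function names are hypothetical.

```python
import itertools

class Directory:
    """Toy stand-in for AD: every created account gets a fresh id."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.accounts = {}   # user -> account id
        self.log = []        # actions, in order

    def create(self, user):
        self.accounts[user] = next(self._ids)
        self.log.append("create")

    def delete(self, user):
        del self.accounts[user]
        self.log.append("delete")

class Provisioner:
    """Assumed rule: the account exists only while the user holds a role."""
    def __init__(self, directory):
        self.dir, self.roles = directory, {}

    def _sync(self, user):  # runs after every single role change
        has_role = bool(self.roles.get(user))
        if has_role and user not in self.dir.accounts:
            self.dir.create(user)
        elif not has_role and user in self.dir.accounts:
            self.dir.delete(user)  # credentials and settings go with it

    def add_role(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self._sync(user)

    def remove_role(self, user, role):
        self.roles.get(user, set()).discard(role)
        self._sync(user)

def move(add_first, base_role=False, user="santunez"):
    """Move user from "System Consulting" to "System DBA"; return (kept, log)."""
    d = Directory()
    p = Provisioner(d)
    if base_role:
        p.add_role(user, "AD Base Account")  # hypothetical never-removed role
    p.add_role(user, "System Consulting")
    before = d.accounts[user]
    steps = [(p.add_role, "System DBA"), (p.remove_role, "System Consulting")]
    for step, role in (steps if add_first else reversed(steps)):
        step(user, role)
    return d.accounts[user] == before, d.log
```

In this model, `move(add_first=False)` deletes and recreates the account under a new identifier, while adding first or holding the base role leaves the original account untouched.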


  • 9.  RE: Move Users of a Role to other in IDM

    Posted Jun 14, 2011 09:25 AM
    Hi - I just wanted to check to see if this is still a problem for you, as the thread has a status of "Waiting for an answer".

    If not resolved, please contact CA Support, and we'll do our best to provide some guidance for this issue.

    Best regards,
    Tom